Invalid configuration error when Cloudflare Proxy enabled

The issue has already been posted several times here; however, no one mentions my reason for keeping the proxy on.

Cloudflare provides me with free unlimited CDN services. If I disable the proxy, I will be limited by Vercel’s allocated resources. Therefore, I need to keep the Cloudflare proxy enabled. Now, regarding the question of moving entirely to Cloudflare, it is not related to this discussion. I need to keep the Cloudflare proxy on, regardless of Vercel’s recommendations. My specific use case is fully supported with the Cloudflare proxy enabled. Does the “Invalid Configuration” error impact availability, or is it just a warning and everything continues to work like before?

Welcome, @revancedapp to the community!

The error is just a warning. It’s purely a diagnostic warning because Vercel expects direct DNS pointing, not proxied traffic.

When Cloudflare proxy is enabled:

  • Vercel can’t verify domain ownership through the proxy
  • Vercel sees Cloudflare’s IPs instead of direct DNS pointing
  • SSL is handled by Cloudflare, not Vercel

Let us know if you have any other questions!

Thanks for clarifying @pawlean. But in my experience, this is not purely cosmetic. After a while, when Vercel reports an invalid configuration, Cloudflare reports an invalid TLS certificate from the origin server (Vercel). I feel like this is because the certificate of the Vercel origin server has expired, and Vercel is unable to renew it because Cloudflare proxies the origin. Can you confirm whether this hypothesis is sound and if there is anything to resolve this issue?

Hi ReVanced,

Your hypothesis is plausible. I would not treat the warning as purely cosmetic if Cloudflare later starts reporting the Vercel origin certificate as invalid.

With Cloudflare orange-cloud proxying enabled, public DNS returns Cloudflare IPs instead of the direct Vercel target, so Vercel can’t fully see/verify the DNS configuration in the normal way. The site may continue to work for a while, but certificate renewal and domain diagnostics can become harder to reason about.

The cleanest test is to temporarily switch the Cloudflare records to DNS only and check whether Vercel moves the domain back to valid configuration and renews/serves a valid certificate:

# Resolve the apex and the www host; while the proxy is on, expect Cloudflare edge IPs
dig A example.com +short
dig CNAME www.example.com +short

# Inspect the certificate served for the hostname (Cloudflare's edge certificate while proxied)
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates -issuer -subject

When Cloudflare proxy is enabled, dig should show Cloudflare IPs. When DNS-only is enabled, the apex/subdomain should resolve to the Vercel values shown in the dashboard.

If DNS-only fixes the Vercel certificate state, then the proxy is very likely part of the renewal/validation problem. At that point the stable setup is either:

  1. keep Cloudflare DNS-only for the Vercel domain, or

  2. keep the proxy on but accept that Vercel may continue showing invalid configuration and that origin TLS problems can happen again.

Vercel’s guidance is pretty direct that using another reverse proxy in front of Vercel is possible, but not recommended:
https://vercel.com/kb/guide/cloudflare-with-vercel

Does switching the record to DNS-only temporarily make Vercel renew the certificate successfully?
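As an added example (not code from the thread, Vercel or Cloudflare), the following script turns the two commands above into a repeatable check: it classifies `dig +short` answers as proxied or DNS-only against Cloudflare's published IPv4 ranges, parses the `openssl x509 -dates -issuer -subject` output, and reports how close the certificate is to expiry. The Cloudflare ranges are a snapshot of https://www.cloudflare.com/ips-v4 and must be refreshed from there; 76.76.21.21 is assumed to be the Vercel apex A record (confirm the value in your project's Domains tab); the sample `dig` and `openssl` output at the bottom is constructed, not captured from any real domain.

```python
"""Classify `dig +short` answers and an `openssl x509 -dates -issuer -subject`
dump for the proxied-vs-DNS-only test.

Added example, not from the thread. CLOUDFLARE_IPV4 is a snapshot of
https://www.cloudflare.com/ips-v4 and must be refreshed from that list;
76.76.21.21 is assumed to be the Vercel apex A record (confirm it in your
project's Domains tab). All sample input at the bottom is constructed.
"""
import ipaddress
from datetime import datetime, timezone

CLOUDFLARE_IPV4 = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


def classify_dns(dig_short_output: str) -> str:
    """'proxied' if every A answer is a Cloudflare edge IP, 'dns-only' if none
    is, 'mixed' otherwise. CNAME targets that dig prints first are skipped."""
    ips = []
    for line in dig_short_output.splitlines():
        line = line.strip()
        try:
            ips.append(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # CNAME target such as cname.vercel-dns.com., or a blank line
    if not ips:
        return "no-answer"
    flags = [is_cloudflare_ip(ip) for ip in ips]
    if all(flags):
        return "proxied"
    if not any(flags):
        return "dns-only"
    return "mixed"


def parse_openssl_x509(text: str) -> dict:
    """Parse notBefore/notAfter (openssl prints e.g. 'Apr  1 00:00:00 2025 GMT'),
    issuer and subject into a dict; datetimes are timezone-aware UTC."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    parsed = {"issuer": fields.get("issuer", ""), "subject": fields.get("subject", "")}
    for key in ("notBefore", "notAfter"):
        raw = fields[key].removesuffix(" GMT")
        parsed[key] = datetime.strptime(raw, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return parsed


def cert_status(cert: dict, now: datetime, warn_days: int = 30) -> str:
    """Let's Encrypt leaves are short-lived, so flag renewal trouble early."""
    if now < cert["notBefore"]:
        return "not-yet-valid"
    remaining = (cert["notAfter"] - now).days
    if remaining < 0:
        return "expired"
    if remaining < warn_days:
        return "renew-soon"
    return "ok"


def report(dig_output: str, x509_output: str, now_iso: str) -> dict:
    """Combine both checks; now_iso is a date such as '2025-03-20' so that the
    result is reproducible."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    cert = parse_openssl_x509(x509_output)
    return {
        "dns": classify_dns(dig_output),
        "issuer": cert["issuer"],
        "cert": cert_status(cert, now),
        "days_left": (cert["notAfter"] - now).days,
    }


def origin_probe_command(host: str, origin_ip: str) -> str:
    """While proxied, connecting to the hostname shows Cloudflare's edge
    certificate. To see what Vercel itself serves, connect to the origin IP
    with SNI still set to the hostname (origin_ip is an assumption to verify)."""
    return (f"openssl s_client -connect {origin_ip}:443 -servername {host} "
            f"</dev/null 2>/dev/null | openssl x509 -noout -dates -issuer -subject")


# Constructed sample input, not captured from any real domain.
PROXIED_DIG = "104.21.37.12\n172.67.145.9\n"
DNS_ONLY_DIG = "cname.vercel-dns.com.\n76.76.21.21\n"
X509_SAMPLE = """notBefore=Jan  1 00:00:00 2025 GMT
notAfter=Apr  1 00:00:00 2025 GMT
issuer=C = US, O = Let's Encrypt, CN = R11
subject=CN = example.com
"""

if __name__ == "__main__":
    print(report(PROXIED_DIG, X509_SAMPLE, "2025-03-20"))
    print(report(DNS_ONLY_DIG, X509_SAMPLE, "2025-03-20"))
    print(origin_probe_command("example.com", "76.76.21.21"))
```

Paste your own `dig` and `openssl` output into the two string arguments of `report` before and after flipping the record to DNS only; if `dns` changes from `proxied` to `dns-only` and `cert` moves from `expired` or `renew-soon` back to `ok` on a fresh issuer date, the proxy was in the renewal path. Note that while proxied the openssl command against the hostname only ever shows the edge certificate, which is why `origin_probe_command` connects to the origin IP directly.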

To clarify why I have the Cloudflare proxy on:

I actually use Vercel as a thin tunnel. What this means in practice:

  1. I have created a Cloudflare Worker. But Cloudflare Workers exist before the edge cache. This means they are subject to a very low limit of requests, just like Vercel. I cannot get the Worker to be cached behind the CDN.
  2. So what I do is have Vercel proxy the requests with a small function that just passes the request to the Worker. Once again, Vercel functions have a limit of requests, so I must put it in front of a free edge cache like Cloudflare.
  3. Finally, I set up DNS for the Vercel function to be proxied by Cloudflare. Because the Worker is now proxied by Vercel and does not live in the internal network of Cloudflare, effectively both the Vercel function and the Cloudflare function are behind the CDN of Cloudflare. Unlimited requests, for free.

In other words, Vercel’s reasons to disable the proxy do not cover my scenario. I am forced to use Cloudflare’s CDN, because Vercel does not offer an unlimited free CDN. Without it, I hit limits in a couple of hours, at my scale.

That said, I am not sure if Vercel provides the option to configure SSL/TLS. If so, I would like to use Cloudflare’s certificates. These are long lived, for years, and so do not cause said issue with short-lived TLS certificates. Disabling Cloudflare’s proxy is not an option. I would exhaust limits quite quickly. But TLS certification does not even require the proxy to be disabled, because the issuer should be able to verify the origin with the proxy on as well. What process does Vercel follow to be issued a TLS certificate? Possibly this is something I can proxy.

Hi ReVanced,

I can’t confirm Vercel’s internal renewal state, but the certificate flow you’re asking about is documented: Vercel uses Let’s Encrypt. For normal non-wildcard custom domains it uses the HTTP-01 ACME challenge, which means Let’s Encrypt needs to be able to reach:

http://your-domain.com/.well-known/acme-challenge/*

So with Cloudflare proxy enabled, the important part is not “can Let’s Encrypt see Vercel DNS directly?” but “does that ACME challenge request pass through Cloudflare to Vercel without being redirected, blocked, rewritten, or cached incorrectly?”

I would check these Cloudflare rules specifically:

/.well-known/acme-challenge/*

For that path, I’d avoid Worker handling, redirects, WAF challenges, cache rules, Always Use HTTPS redirects, or anything that changes the request before it reaches Vercel. If that path does not reach Vercel cleanly over HTTP, Vercel’s automatic certificate renewal can fail even if the rest of your site works through Cloudflare.

On custom certificates: Vercel does support uploading custom SSL certificates, but the docs say that is an Enterprise feature. Vercel also does not automatically renew custom uploaded certificates. So unless you are on Enterprise, I would not expect there to be a supported way to make Vercel serve a Cloudflare Origin Certificate instead of Vercel’s automatically managed certificate.

Docs page for the certificate behavior:
https://vercel.com/docs/domains/working-with-ssl

One important caveat: I would not rely on Vercel as a “thin tunnel” to work around platform limits. Even if Cloudflare caches the outer response, requests that miss cache or vary by headers/query/auth can still hit the Vercel Function, and putting another reverse proxy in front also makes domain validation and security behavior harder to reason about.

If you want to test whether the ACME path is the blocker, I’d add a temporary route/static file under /.well-known/acme-challenge/test and confirm that Cloudflare serves the exact Vercel response with no Worker, redirect, cache mutation, or challenge applied.
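As an added example (not code from the thread, Vercel or Cloudflare), the script below encodes the ACME-path checklist from the reply above as rules over a single HTTP response: no redirect, no Cloudflare challenge page, no cached body, and a body identical to what the origin serves. It also includes a small urllib probe that fetches the path over plain HTTP without following redirects, which is the client behaviour that matters for HTTP-01. The `cf-mitigated` and `cf-cache-status` header names are the ones Cloudflare attaches to challenge and cached responses; the sample responses, the hostname example.com and the token value are constructed, not captured.

```python
"""Rules for what a plain-HTTP request to /.well-known/acme-challenge/<token>
must look like for HTTP-01 validation to succeed through Cloudflare.

Added example, not code from the thread, Vercel or Cloudflare. `evaluate`
encodes the checklist (no redirect, no challenge page, no cache mutation,
body identical to the origin's) as rules over one HTTP response; `probe`
fetches the path with urllib without following redirects. The cf-mitigated
and cf-cache-status header names are the ones Cloudflare attaches to
challenge and cached responses. SAMPLES are constructed, not captured, and
the token value is made up.
"""
import sys
import urllib.error
import urllib.request

ACME_PREFIX = "/.well-known/acme-challenge/"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for a 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url: str, timeout: float = 10.0):
    """Return (status, headers, body) for url without following redirects.
    Use an http:// URL, because HTTP-01 starts on port 80."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "acme-path-probe/1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


def evaluate(status: int, headers: dict, body: str, expected_body: str) -> list:
    """Return problem codes; an empty list means the request reached the origin
    unmodified, which is what Let's Encrypt needs to see."""
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    if 300 <= status < 400:
        # Always Use HTTPS or a redirect rule. The token must then also be served
        # at the target, so exempting the path from redirects is the safer setup.
        problems.append("redirect:" + h.get("location", "?"))
    elif status != 200:
        problems.append(f"status:{status}")
    elif body.strip() != expected_body.strip():
        problems.append("body-mismatch")  # Worker rewrite or stale cache
    if h.get("cf-mitigated", "").lower() == "challenge":
        problems.append("cloudflare-challenge")
    if h.get("cf-cache-status", "").upper() == "HIT":
        problems.append("served-from-cache")
    return problems


TOKEN = "exampletoken.examplethumbprint"  # constructed; real tokens come from the ACME server
SAMPLES = {
    "clean": (200, {"Content-Type": "text/plain", "CF-Cache-Status": "DYNAMIC"}, TOKEN),
    "always_https": (301, {"Location": "https://example.com" + ACME_PREFIX + TOKEN}, ""),
    "managed_challenge": (403, {"cf-mitigated": "challenge", "Content-Type": "text/html"},
                          "<html>Just a moment...</html>"),
    "stale_cache": (200, {"CF-Cache-Status": "HIT"}, "old-token-from-last-renewal"),
    "worker_rewrite": (200, {"Content-Type": "application/json"}, '{"proxied": true}'),
}


def check_samples() -> dict:
    """Run evaluate over the constructed samples, keyed by scenario name."""
    return {name: evaluate(s, h, b, TOKEN) for name, (s, h, b) in SAMPLES.items()}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # python acme_probe.py http://example.com/.well-known/acme-challenge/test <expected body>
        status, headers, body = probe(sys.argv[1])
        print(evaluate(status, headers, body, sys.argv[2]) or "clean")
    else:
        for name, problems in check_samples().items():
            print(f"{name:18} {problems or 'clean'}")
```

Deploy a static file under /.well-known/acme-challenge/test in the Vercel project, then run the script with the http:// URL and the file's exact content; anything other than `clean` names the Cloudflare feature (redirect, managed challenge, cache rule, Worker) that is standing between Let's Encrypt and Vercel.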